1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
|
/*
* Copyright (C) 2000 Nikos Mavroyanopoulos
* Copyright (C) 2004 Free Software Foundation
*
* This file is part of GNUTLS.
*
* The GNUTLS library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
/* Here lies the code of the gnutls_*_set_priority() functions.
*/
#include "gnutls_int.h"
#include "gnutls_algorithms.h"
#include "gnutls_errors.h"
#include <gnutls_num.h>
/**
* gnutls_cipher_set_priority - Sets the priority on the ciphers supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements.
*
* Sets the priority on the ciphers supported by gnutls.
* Priority is higher for ciphers specified before others.
* After specifying the ciphers you want, you must append a 0.
* Note that the priority is set on the client. The server does
* not use the algorithm's priority except for disabling
* algorithms that were not specified.
**/
int gnutls_cipher_set_priority(gnutls_session_t session, const int *list)
{
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.cipher_algorithm_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.cipher_algorithm_priority.priority[i] = list[i];
}
return 0;
}
/**
* gnutls_kx_set_priority - Sets the priority on the key exchange algorithms supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_kx_algorithm_t elements.
*
* Sets the priority on the key exchange algorithms supported by gnutls.
* Priority is higher for algorithms specified before others.
* After specifying the algorithms you want, you must append a 0.
* Note that the priority is set on the client. The server does
* not use the algorithm's priority except for disabling
* algorithms that were not specified.
**/
int gnutls_kx_set_priority(gnutls_session_t session, const int *list)
{
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.kx_algorithm_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.kx_algorithm_priority.priority[i] = list[i];
}
return 0;
}
/**
* gnutls_mac_set_priority - Sets the priority on the mac algorithms supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_mac_algorithm_t elements.
*
* Sets the priority on the mac algorithms supported by gnutls.
* Priority is higher for algorithms specified before others.
* After specifying the algorithms you want, you must append a 0.
* Note that the priority is set on the client. The server does
* not use the algorithm's priority except for disabling
* algorithms that were not specified.
**/
int gnutls_mac_set_priority(gnutls_session_t session, const int *list)
{
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.mac_algorithm_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.mac_algorithm_priority.priority[i] = list[i];
}
return 0;
}
/**
* gnutls_compression_set_priority - Sets the priority on the compression algorithms supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_compression_method_t elements.
*
* Sets the priority on the compression algorithms supported by gnutls.
* Priority is higher for algorithms specified before others.
* After specifying the algorithms you want, you must append a 0.
* Note that the priority is set on the client. The server does
* not use the algorithm's priority except for disabling
* algorithms that were not specified.
*
* TLS 1.0 does not define any compression algorithms except
* NULL. Other compression algorithms are to be considered
* as gnutls extensions.
*
**/
int gnutls_compression_set_priority(gnutls_session_t session,
const int *list)
{
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.compression_method_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.compression_method_priority.
priority[i] = list[i];
}
return 0;
}
/**
* gnutls_protocol_set_priority - Sets the priority on the protocol versions supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_protocol_t elements.
*
* Sets the priority on the protocol versions supported by gnutls.
* This function actually enables or disables protocols. Newer protocol
* versions always have highest priority.
*
**/
int gnutls_protocol_set_priority(gnutls_session_t session, const int *list)
{
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.protocol_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.protocol_priority.priority[i] = list[i];
}
/* set the current version to the first in the chain.
* This will be overridden later.
*/
if (num > 0)
_gnutls_set_current_version(session, list[0]);
return 0;
}
/**
* gnutls_certificate_type_set_priority - Sets the priority on the certificate types supported by gnutls.
* @session: is a &gnutls_session_t structure.
* @list: is a 0 terminated list of gnutls_certificate_type_t elements.
*
* Sets the priority on the certificate types supported by gnutls.
* Priority is higher for types specified before others.
* After specifying the types you want, you must append a 0.
* Note that the certificate type priority is set on the client.
* The server does not use the cert type priority except for disabling
* types that were not specified.
**/
int gnutls_certificate_type_set_priority(gnutls_session_t session,
const int *list)
{
#ifdef USE_OPENPGP
int num = 0, i;
while (list[num] != 0)
num++;
if (num > MAX_ALGOS)
num = MAX_ALGOS;
session->internals.cert_type_priority.algorithms = num;
for (i = 0; i < num; i++) {
session->internals.cert_type_priority.priority[i] = list[i];
}
return 0;
#else
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#endif
}
/**
* gnutls_set_default_priority - Sets some default priority on the cipher suites supported by gnutls.
* @session: is a &gnutls_session_t structure.
*
* Sets some default priority on the ciphers, key exchange methods, macs
* and compression methods. This is to avoid using the gnutls_*_priority() functions, if
* these defaults are ok. You may override any of the following priorities by calling
* the appropriate functions.
*
* The order is TLS1, SSL3 for protocols.
* RSA, DHE_DSS, DHE_RSA for key exchange
* algorithms. SHA, MD5 and RIPEMD160 for MAC algorithms.
* AES_256_CBC, AES_128_CBC, 3DES_CBC,
* and ARCFOUR_128 for ciphers.
*
**/
int gnutls_set_default_priority(gnutls_session_t session)
{
static const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
static const int kx_priority[] =
{ GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, 0 };
static const int cipher_priority[] = {
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0
};
static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 };
static const int mac_priority[] =
{ GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 };
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
gnutls_protocol_set_priority(session, protocol_priority);
gnutls_mac_set_priority(session, mac_priority);
return 0;
}
/**
* gnutls_set_default_export_priority - Sets some default priority on the cipher suites supported by gnutls.
* @session: is a &gnutls_session_t structure.
*
* Sets some default priority on the ciphers, key exchange methods, macs
* and compression methods. This is to avoid using the gnutls_*_priority() functions, if
* these defaults are ok. This function also includes weak algorithms.
* The order is TLS1, SSL3 for protocols, RSA, DHE_DSS,
* DHE_RSA, RSA_EXPORT for key exchange algorithms.
* SHA, MD5, RIPEMD160 for MAC algorithms,
* AES_256_CBC, AES_128_CBC,
* and 3DES_CBC, ARCFOUR_128, ARCFOUR_40 for ciphers.
*
**/
int gnutls_set_default_export_priority(gnutls_session_t session)
{
static const int protocol_priority[] = {
GNUTLS_TLS1, GNUTLS_SSL3, 0
};
static const int kx_priority[] = {
GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA,
GNUTLS_KX_RSA_EXPORT, 0
};
static const int cipher_priority[] = {
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
GNUTLS_CIPHER_ARCFOUR_40, 0
};
static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 };
static const int mac_priority[] =
{ GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 };
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
gnutls_protocol_set_priority(session, protocol_priority);
gnutls_mac_set_priority(session, mac_priority);
return 0;
}
|
